President elect Barack Obama’s embrace of online video and social networking may have propelled him to victory, but unless he’s careful, his administration could be brought down by the same sloppy security problems that have plagued MySpace, Facebook, and dozens of other Web 2.0 properties.
A cursory look at Change.gov and …

COMMENTS

Where has the money gone?

You know, with somewhere near $750 million in campaign contributions (during "the worst economic crisis since the Great Depression," no less) you would think Cisco would have a branch office in his headquarters running the network, with ISS and CyberTrust on stand-by. But, oh noes! Someone haxored my intarwebs!

Then this. WTF?? Hey, President-Elect Obama, is this how you plan to budget for and ensure our country's security? I am not at all impressed, nor amused, Mr. "BlackBerry President."

Er.. Typical journalism

"has complete administrative access to one of the government's most important websites. "

Er.. No it doesn't. It merely means they know that 100,000 users have visited the site, and are mostly running MSIE6.

Further, "not to make Personal Information available to anyone other than our employees, staff, and agents." Browser information is NOT personal information. It is sent to every website that requests it, therefore, not personal.

Yes, it is possible that the Evil google corporation will modify its tracking javascript to insert malicious links and content into Obama's website, but in doing so, they'll be defacing the website, and subject to more than just a few US laws.

Shock horror! The network link to the website is controlled by a non-government entity! What if the network provider was to redirect visitors to a malicious website instead! Never mind the fact that a non-government server hosts the site!

Look at the Register's mailing list sign-up. It doesn't use SSL to request my personal details; I somewhat bet the admin area isn't protected by it either. Nor do they host their own servers; it's outsourced to an American company, Rackspace.. why won't that company do something to the visitors of theregister.co.uk? They're big companies.. not evil empires.

Not yet.

That said, it's disgraceful if whoever maintains his Internet presence is as clueless as this article portrays. I think I smell YetAnotherPaperEngineer[tm] born out of the Web boom who has absolutely zero Internet version of street smarts ...

this "reporter" has no technical skills whatsoever??

"Even more troubling is the discovery that administrative pages for both sites are linked to Google Analytics. This is a hard configuration to make sense of. It means that Google, a private company with important business before the US government, has complete administrative access to one of the government's most important websites."

Too much beer or what? You have absolutely no idea what you're talking about, do you? Maybe you should take Computer Science III and come back to us when you're reporting about something you know about.

Must be a quiet news day

I agree with Dion. What on earth is this article on about? The change.gov site is not in any way sensitive. It doesn't collect personal information, the information on it is not sensitive, and it doesn't allow the public at large to post comments.

The very worst that could happen is that someone gains access to the CMS and posts an article. SSL won't prevent people trying to crack the password, but quite honestly, apart from a script kiddie, who would bother? There is I suppose a tiny risk of an XSS attack, but even that wouldn't be catastrophic.

Security is all about horses for courses. The sites referred to here do not demand a high level of security. It's not like it's the CIA's database of agents' details or something.

Where's the security problem

So, the GIANT SECURITY RISK to the privacy of every American and/or internet user is that the admin area is on a URL commonly used for admin areas and that the site uses Google Analytics, which doesn't spider pages or give Google full administrative access to the site, for usage statistics.

Come back when the username/password are revealed to be admin/admin and I might be a little more interested.

Can somebody explain to me...

@Sean & Dion

Thirded; this appears to be a fairly piss-poor article about nothing in particular; if the author's going to bray about "amateur mistakes", might help if he took the odd pain to avoid the more glaring ones himself.

Reactionaries for life

There's no news today then?

@Where has the money gone?

Bitterness, Alan? USA needs him to succeed yet you so want him to fail.

Do you never wonder why so many rich influential people gave so much money to Obama's campaign? Why it's so important that USA changes direction fast?

It's more than a few banks making bad choices. The leverage ratio on the failed Wall Street banks was increased over the last years to as high as 39, i.e. $38 imaginary dollars invested for each real dollar held. All they needed to do was make a 0.3% return from their real+imaginary money to make a 10% return to their investors. As the returns in the US fell the Treasury let these banks increase their leverage ratios to compensate.

Paulson has been letting them hide their problems for years; if they went under, it meant that no plausible leverage ratio could keep them afloat, i.e. their losses were greater than their real assets and they were bankrupt 39 times over.

This is why Paulson's concentrating on banks in particular: because the leverage ratio means they need the belief in those $38 imaginary dollars to be kept alive; without that belief you have an asset worth 1/39th its perceived value. It's like fairies, if you don't believe in them, they vanish.

You don't realize how close you are to a Soviet Union style collapse here. If I was you I'd suck it up and hope he can turn it around.

Tosh!

Dan, this is a non-story. I just watched Breaking Glass last night by chance and it reminds me just of that. A pretty much fabricated story about nothing. Please check your facts and learn a little about the internet before writing more articles for our precious Register.

*sniff sniff*

Oh dear

There doesn't seem to be much to crow about here. OK so we can get to the login page for the CMS. Not a great idea. But the rest of the article? A lot of fuss about nothing. Do Reg readers need to be told what the s in https means?

Really stretching, aren't you?

> This is a hard configuration to make sense of. It means that Google, a private company

> with important business before the US government, has complete administrative access

> to one of the government's most important websites.

Double-fail. It's not clear that Google has anything like "complete administrative access" from what you present, unless you are suggesting that the only way the script links could have gotten in there is that Google hacked in and planted them. Secondly, this is hardly "one of the government's most important websites." MyBarackObama isn't a government website at all, and Change.gov is about recruiting people and explaining a transition of power. The U.S. government has .mil, FDA, IRS, INS, and a plethora of other TLAs that are more important.

> It would also appear to run contrary to this privacy policy pledging "not to make Personal

> Information available to anyone other than our employees, staff, and agents."

If we make the reasonable assumption that Google was just hired to track visitor stats for the site, and that they agreed to keep these stats confidential, then they are precisely the kind of "agent" the privacy policy is talking about, and they still would not need to have administrative access to the site. How about just asking those press contacts if that's what's going on?

The only good thing about this article is that it's the first time I have heard SSL defined as "the 's' following a web address's 'http' that assures you the connection is encrypted." It's fun to think of other things you can describe this way: The Underground is that red circle with a line through it that means you can get places without a car.

@ Dion

Re: Lame

"Allowing snivelling dolts like ratcliff to honk his useless republican head off braying about something which doesn't exist."

Cannot spell sniveling, nor my last name. Hell, he could have copied and pasted it, FFS. Eh, but that is what makes a troll a troll.

But at least Seán has made me take a second look at my voter registration card. I suppose a Republican party vote would be a tactical vote against the Obama camp for most of us NPA types. Perhaps he also exemplifies the frothing masses, about which I have spoken previously.

But let us be fair: McCain got his intarwebs haxored as well. That is common knowledge at this point, having been plastered on every news outlet around this and a few neighboring planets. The point remains that the Obama campaign apparently did not spend a wise amount of the contributions in a place where it should have been: security. Well, unless you count body-guards.

But then that just shows what an "everyman" he really is, does it not? I mean, how many people on the street really understand the value and importance of cyber-security? (Please refrain from answering a rhetorical question.)

Then again, no one who visits the websites should have anything to hide, so they should not be worried about local browser storage, security in-transit, or the apparent potential of a back-end database compromise.

Seán, read my name again to get the correct spelling. I want it emblazoned in your enraged skull while you finish your cup of whatever, wherever you are, and let it lull you to sleep tonight as the day's last bits of froth crust over on your cheek, waiting to be resurrected in the morning when joined by a fresh batch free-flowing from somewhere deep in your brain.

You have...

...NO idea what you're talking about. I wanted to rebut some of the complete and utter nonsense that Dan Goodin wrote in this article, but really couldn't be bothered.

ElReg, next time you pay people to write about web technology, check that at the very least they know about web statistics before letting him loose on a keyboard. Having completed content management systems 101 also wouldn't go amiss. Just a thought.

As per Dion

SO.... WHAT.....

The article is just pure El Reg hype. We haven't had too much of this for a while. Are we yank baiting again, hoping to get a few pro and anti Obama people on here frothing at the mouth? Or is it that someone was trying to ban you from using a red banner?

It's not just their webmaster that's sloppy

Why the derision?

Does someone seriously think an external javascript file outside your control is a good thing to be loading on every client that visits the admin interface of your web app? Does everyone believe that not only does Google corporately do no evil, but so does every single one of its employees, and this situation is never likely to change? Does someone, in fact, have a good reason for needing demographic info from your admin page anyway? (Note: "The Google Analytics code is in the header we include in each web page" is not a good reason)

Is this a problem? No. Is it a potential problem? Yes, but unlikely. Is it easily avoided? Yes. Are there any downsides to eliminating the potential problem? No. Seems clear-cut to me.

@Can somebody explain to me...

>...how the use of Google Analytics is a massive security flaw?

For the purposes of this explanation, I'm assuming that Google wants to hack into the site. (I don't believe Google does, and I do believe Google has sufficient security that no-one else could do what I'm about to describe).

When the change.gov login page is loaded it loads some Javascript (urchin.js) from Google's servers and runs it in the context of the page. Google can change what that script does. For example, they could add code to it so when it is on the change.gov login page, it modifies the "Login" button to send the username/password to Google (via AJAX) just before it actually logs in. This might be a fraction slower than normal, but it's unlikely that the person logging in would notice. So as soon as an authorised administrator logs into change.gov, then Google get the password and can use it to access the website.

West-coast guilt

The US media did not exactly give Obama a hard time in the run up to his electoral success, and are starting to feel guilty about the shattered dreams of that poor old dude from Arizona. So they're trying to make up for it.

Unfortunately, Obama has yet to put a foot wrong, but you've got to work with what you're given, right? So some dolt using the same page template for the public and private parts of the CMS is the best they've got at the moment.

@If you can do, if you can't

> First the logon link does track to a https server - and is therefore secure

Rubbish.

How do you _know_ the logon link goes to a https server? Every time you login, do you examine the source code for the entire page (including all included Javascript files) to make sure it's not going somewhere else? No, I didn't think so.

So basically it's secure if no-one changes your HTTP login page... oh wait, against an active attacker we just lost all the benefits of HTTPS. (Against a passive attacker who can sniff your traffic but not change anything, I'll agree with you that HTTP / HTTPS for the login page doesn't matter. But I think an active attacker is actually more likely than a passive one - e.g. see the DNS & routing exploits from the last year).

> sourceforge did the same for years

Once upon a time, HTTPS was new, incompatible, and slow. Fortunately the world has moved on; none of those excuses are valid any more.

@Socialism

"So, the answer to avoid a "Soviet Union style collapse" (please note, HIS capitalisation, not mine) is to depend on the most socialist-oriented candidate ever elected to the office? There must be logic there somewhere, but I fear it is straight out of the pretzel bakery."

Do you think Bush is a small government, free market capitalist? Do you think Stalin or Brezhnev was a socialist? If I stick a label "Pretzel" on a loaf of bread, do you think it's a pretzel just because the label says it is?

"I concur with those who note that the attitude toward security shown bears scrutiny by those hundreds of millions whose very lives will be in the hands of this new commander-in-chief. May God have mercy on their souls. Their enemies will surely show no mercy."

When warned about an impending Al Qaeda attack by the CIA against America, Bush did nothing. Again, if I stick a label "action hero" on President Bush, would you believe he's an action hero and not a lazy self-serving tosser?

I suspect you're easily fooled by labels.

If I were you I'd back Obama even if he wasn't your candidate because your future interest depends on him being successful.

Worst article ever...

Supporting the future of America

Really, the issue is not a matter of not supporting Obama. If the president fails, the country can spiral into failure as well. Of course it is in our best interest for Obama to succeed, which means that we want him to make intelligent, well-informed, and well-thought-out decisions, and act accordingly.

Being harshly critical does not imply a wish for failure. When your father yelled at you for being a pot-smoking loser with no direction, was he wishing for your failure?

As well, Osama bin Laden was a threat for a long time. Name something that Clinton did during his administration that would have prevented the eventual assault on America.

See, my issue is that of the attack on the past "eight years of failed policy." I am sorry to disappoint people who belong to the modern culture of negativity, but what we really need is to look at the past 16 to 20 years, and possibly beyond, of American policy to find out what went wrong and fix it. America is not broken, but it has some broken parts to it, and it is still a great country in which we can all believe.

We are still a young country, barely two and a half centuries, and we are still going to make mistakes. But smart people in a smart country learn from those mistakes, not waste time and energy pointing fingers and figuring out who to blame as if that will magically solve any problem. WE are to blame, for everything. So shut up, get up, and do something about it. I sure as hell have, and am, you whiny bitches.

Web Security 101 - some readers don’t seem to understand

1) When a third-party JavaScript widget (like Google Analytics) is on any web page, the upstream provider may push whatever code they want down to the user, anytime they want. In this particular case, as a matter of normal usage, the access details by "administrative users" of change.gov are being sent/logged by Google (a private company) automatically. Anytime the admins post a story, change a template, add new users, whatever... the information is sent to Google. Sure, Google is probably doing nothing sinister, but absent a FOIA request this would seem like a really bad idea, to have the admins be tracked.

2) What's also the case is that at anytime should Google Analytics suffer a breach (by outsider or insider) that enabled the downstream JavaScript code to be altered, that code has the exact same privileges as the native code on the change.gov website. It would then be possible to target/infect/hack the admin users and hijack their accounts just like we’ve already seen with these drive-by-download infections. That is why the word “access” is being used in this context.

3) Finally, consider that google-analytics.com is hosted on a non-SSL page. So if an attacker wanted to target an admin user, sniffing/manipulating their change.gov Web traffic can result in the same effects as #2. This is easily done. Another possibility is manipulating the admin user's DNS server (enough weaknesses currently exist), where google-analytics would be made to point to a malicious server instead.

@Supporting the future of America

If the finding faults were anything but a desperate attempt to find something bad to say about his support team, the article would not have had the sensationalist language that it did. This is not a case of "the emperor has no clothes," but more one of "the emperor has his cuff-links in backwards." It's a small area for improvement in an unimportant place, and being "harshly critical" is simply out of proportion. Think of the wire hanger scene in "Mommy Dearest."

Some things are just not worth harsh criticism. If you really want to learn from mistakes, then look to mistakes that matter. Your time will be better spent.

@@Can somebody explain to me... (@ frymaster too)

>"When the change.gov login page is loaded it loads some Javascript (urchin.js) from Google's servers and runs it in the context of the page."

No, it doesn't run "in the context of the page". It runs in the context of the google.com domain.

>" Google can change what that script does. "

That is the only correct statement you make in your post. Yes, they can change what it does. But only within the limits of what javascript makes possible for them. They can't, for example, change it so that it jumps out of the computer and kicks your dog. Similarly, they can't modify it to steal the admin login from the change.gov website.

>"For example, they could add code to it so when it is on the change.gov login page, it modifies the "Login" button to send the username/password to Google (via AJAX) just before it actually logs in"

No, they can't do that. You need to go and understand what the "same-domain origin policy" is all about: Google's JS can't access the DOM elements from change.gov, regardless of the fact that they are rendered on the same page, because Google's js is included by reference to a URL from a foreign domain.

This is exactly *not* like an XSS, where you manage to inject code into the actual content of the page so it appears to be coming from the same domain.

@Porter

From your link: "The only exception to the same origin policy is if you are working with documents loaded from any of the subdomains of the current domain. By setting the domain property of the document, scripts residing on a subdomain are allowed access to the scripts on the main domain."

Um ... so your fears could only be realized if Google were attacking itself. Including a script from the google.com domain in your page running from yourserver.net is still a restricted activity that greatly limits what the script can do. This says "you're wrong" in your claim that "yes they could".

And make no mistake about it ... IF some nasty hacker-wannabe managed to modify the Urchin javascript to grab change.gov's login info for the CMS, then that change would affect EVERY instance of that script included in all of the code of all of the websites that use it, worldwide.

This is a non-issue. You might as well be complaining that IF someone over at Thawte decided to, they could replace all of the verification mechanisms so that all Thawte users would be sending authorization data to a criminal third party. The likelihood is quite near zero that either event would transpire.

It really seems like El Reg has got some anti-Google shills working in upper-management or something. There is no other single website out there that contains so much anti-Google FUD in such an obviously misinformed manner as this one. It's really getting to be rather tiring.

So Glad

Just lovely to know there are folks willing to point out security issues to the public at large... Maybe the world would be a better place if our neighbors took out an ad in the Register every time I forgot to lock my front door instead of letting me know.

Mwahahaha! (and @Ratelif or smtg)

This article is admirable in its commitment to the "absolute security" doctrine, but quite misleading on the real level of the threat, and on the nature of the websites. The, erm, "flaws" described here are risibly harmless. "Ho, look, the President-Elect of the Galaxy only has a standard personal mailbox, anyone with a blowtorch could open it and gain Complete Administrative Control on the Most Important bulk admail and pizza delivery coupons in the Universe!". Yeah, right. And?

At mister II,

"As well, Osama bin Laden was a threat for a long time. Name something that Clinton did during his administration that would have prevented the eventual assault on America."

I don't think the CIA and consorts would have allowed him to harm their beloved child anyway. And NO, I'm not trolling, go get some info if you doubt that. And maybe, just maybe, not being a reckless worldwide bully actually kept the terr'ists troops at a low level.

"We are still a young country, barely two and a-half centuries, and we are still going to make mistakes. But smart people in a smart country learn from those mistakes"

Re: Where has the money gone?

If Obama's sysadmins are worth their salt, the money has been spent on liquid lunches at the nearby Rehydratative Solutions Boutique, where it belongs. And on the real stuff, too, not this hog's urine-like Bud.

@Alan W

"Cannot spell sniveling, nor my last name."

You should realise that snivelling is the correct way to spell the word and your real name is Ratcliffe not the misspelled joke name you share with your alleged daddy. Please try to control your racism in future.

@James Butler

Password Reset

I wonder if the Blue State Digital CMS sends an auto-gen'd password in a plain text email for a password reset. Obviously if they send a new password in a plain text email there is the slight risk it could be intercepted. I've not attempted to reset anyone's password, but if they don't ask security questions (you know, like El Reg does*) before the reset you could have fun randomly resetting Blue State staffers' passwords :).

*Paris tagged comments don't require the same level of security as the site of the President-Elect. Maybe Blue State, like the Reg, also saves passwords in plain text in the DB?